skinny support in zone-based firewall?

b.henshaw · ‎08-27-2006

I'm running CME4.0 & IOS 12.4(9)T on a 2801. I've configured the 'new' zone-based firewall and I'm using this instead of the old 'ip inspect' lines and traditional CBAC config.

Currently, if I have the voice interface on the router in a zone and inspect TCP & UDP traffic, I can make phone calls out (via FXO) and the remote party can hear me, but I can't hear them - presumably the return call traffic isn't being permitted by the firewall. If I take the voice interface out of the zone, it works fine.

Does anyone have any guidance on the best way to permit skinny traffic from IP phones to the router and vice versa?

The router seems unable to accept a 'match skinny' line in any class-map used by a policy-map which is attached to a zone with 'self' as either the source or destination. When I try to add 'match skinny' to the class I receive the following error:

%Protocol not supported for self-zone traffic inspection in policy-map voice2self-pol on zone-pair voice2self

Is there an alternative way to tell the router to inspect skinny traffic from phones to the router? I want to avoid any strangeness I might induce if I use CBAC-style inspect lines /as well as/ the zone-based firewall.

And if I don't have the voice interface in a zone, then the phones won't be able to talk to the other zones which will be a requirement in the future.

Any ideas appreciated.

wong34539 · ‎09-01-2006

Although the router offers a default-allow policy between all zones and the self zone, if a policy is configured from any zone to the self zone, and no policy is configured from self to the traffic's source zone, all router-originated traffic will encounter the source self policy on its return to the router and will be blocked.Refer the following URL for more info

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper0900aecd804b5924.shtml